hahnhell
Member Candidate
Topic Author
Posts: 108
Joined: Sat Mar 07, 2020 11:49 pm
Location: NCR, Canada

New Home Setup VLANs

Thu Mar 26, 2020 2:47 pm

Good day everyone,

I'm new to Mikrotik and very new to VLANs. I have read through a number of posts here and am about to start writing up my own file to implement in my home network. I am still in the learning curve of Mikrotik language so I just wanted to ask about a few of the things stated within the how-tos.

I have a RB4011iGS+5HacQ2HnD so I am trying to implement the method suggested in post #3. While reading through the RouterSwitchAP.rsc, there are a few things I am not sure how to do.
While configuring:
Access Ports: "L3 switching":
What does it mean to [find vlan-ids=10]?
IP Addressing & Routing: DNS Server:
Do I put my preferred DNS here or do I put 9.9.9.9?
IP Services: /ip dhcp-server network add address=10.0.10.0/24 dns-server=192.168.0.1 gateway=10.0.10.1
How is the dns-server=x.x.0.1? Is this defined somewhere that I missed? I haven't loaded the RB without default config yet so I am a bit uncertain how this setting works from a fresh start.

This is about as far as I've gotten through the file so far before I had enough questions that I feel comfortably lost. Figured I'd post now and get more knowledge before moving forward.

I more than likely will need to post my own topic to get more advice on how to proceed with the way I want my network laid out, but I want to at least understand this current topic as much as I can before doing so. I've attached my network diagram (very skeleton) for ref.

Thank you so much in advance!! I've been learning so much already and have mustered enough courage to at least post something here in hopes that you fine folk can lend some expertise.


Ref: My brain idea mess - https://docs.google.com/document/d/1awd ... sp=sharing

Hey gang!

You are a very responsive group! I want to thank you for that. @anav replied within hours of my post and I am excited already.

I have added an attempt at an explanation to my want/need. Main thing here is I want to segregate my IoT wifi devices from the internet. They have no requirement to be accessible to the outside and I just want to make sure it stays that way.

The rest is just some guest and admin segregation from the regular network. Maybe I am going a bit too far here and need to pull back a bit before I jump in. Please any advice is appreciated and thank you!

Quoted questions still stand.

Thanks.


Note: Currently the RB is set up with default config and I have PPPoE working on ether1. I was not able to get the SFP+ working for my FTTH, but I believe I may be able to get that working once I have more knowledge in this VLAN thing, as I think that is where my problems are stemming from in this case. I have 2 wifi set up (an IoT wifi (2GHz) and a Home wifi (5GHz)).
 
anav
Forum Guru
Posts: 19323
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: New Home Setup VLANs

Thu Mar 26, 2020 6:43 pm

Very doable. I have the same setup (different router with no wifi) but I use two capACs and have set it up pretty much as per the examples in the ref thread.

I use vlans for everything and one bridge to keep it clean and simple.
Home vlan (trusted users) - VLANXX

capac upstairs:
Iot devices upstairs VLANYY (2.4ghz chain)
home trusted wifi upstairs - VLANXX (5ghz chain)
Guest wifi upstairs - VLANQQ (virtual chain off 5ghz)

capac downstairs:
Iot devices basement VLANZZ (2.4ghz chain)
basement trusted wifi - VLANXX (5ghz chain)
basement guest wifi - VLANSS (virtual chain off of 5ghz chain)
 
anav
Forum Guru

Re: New Home Setup VLANs

Thu Mar 26, 2020 6:47 pm

I would separate into different vlans
guest wifi (access to internet only)
home (trusted wifi)
iot devices (access to internet only)

The one I am not sure where it fits is google devices but would tend to put it with iot devices.

Sounds like the rest of the devices are part of the home trusted network
adminPC (will give this puppy special powers via firewall rules)
server homelab
synology
htpc ?? (guessing, as I do not know what this serves function-wise)
printer (will create an interface list of untrusted users that you think may want to have access only to the printer in the trusted lan (one way))

+++++++++++++++++++++++++
Okay, just seeing your google list now. Is that what you want to achieve or someone's suggestion??
Last edited by anav on Thu Mar 26, 2020 9:08 pm, edited 1 time in total.
 
hahnhell
Member Candidate
Topic Author

Re: New Home Setup VLANs

Thu Mar 26, 2020 7:11 pm

Hey there anav,

The google doc is brainstorming, but I believe you've got most things just about covered in your explanation so far. I was trying to make a diagram/list of what I saw in my head for breaking the network into pieces. Main idea is for the IoT devices to not have access to the internet and only to be able to have mqtt/http access to the server. The google devices will need internet so they can run routines, etc. as they have the google assistant active on them.

I should be able to see/control all things from the Admin PC, i.e. upload/manage the IoT devices (they are all wifi based) and ssh/remote desktop locally to the htpc and the server.

Print services for all the computers (not really necessary for guests).

The HTPC is my home theatre pc. It's an old mac-mini but it's now just running windows 10.

Does that help a bit?

Thank you!
 
anav
Forum Guru

Re: New Home Setup VLANs

Thu Mar 26, 2020 9:15 pm

This is just to give you an idea of how I would tackle this setup.
The technical question I don't know how to answer is how to best utilize the router switching.
I put the htpc and synology (heaviest traffic folks) on the same switch chip just in case and put the other devices on the other switch chip.

Basic starting point.
vlan2=adminPC (iot, google, home wifi devices, synology, serverhomelab, htpc, internet, printer, homewifi)

vlan5 -printer (internet?? )
vlan5-homewifi (internet)

vlan10 Server home/Lab (synology printer, iot, home wifi, internet)
vlan15=home wifi_devices (internet, (synology, printer))
vlan20=synology (internet only)
vlan30=google (internet only)
vlan40=guest wifi (internet only)
vlan50=iotdevices (homeserver only)
vlan 60 = htpc (serverhomelab, internet, printer, synology)

Create bridge = bridgehome
Create vlans with interface =bridgehome
Create dhcp structures for each vlan (ip address, dhcp-server, dhcp-server network, dhcp pool)
Create bridge port structure (assuming eth1 is for WAN)
eth2 - adminpc
eth3 - homeserverlab
eth4
eth5
++++++++++++++++++++++++++++++++++++++++ eth2-5 are one switch chip /6-10 on another/ sfp port is by itself.
eth6 - htpc
eth7 - synology
eth8 -
eth9
eth10
wlan1 5ghz home wifi
wlan2 5ghz guest wifi
wlan3 5ghz google devices wifi
wlan3 2ghz (iot devices channel 1)
wlan4 2ghz (home wifi devices channel 11)

Bridge ports describe ingress behaviour
so wlans entries include PVID and have frame-types=admit-only-untagged-and-priority-tagged [access ports]
so eth port entries to non vlan capable devices are same as wlans frame-types=admit-only-untagged-and-priority-tagged [access ports]
eth port entries to vlan aware devices (smart switches etc) ingress filtering=yes [trunk ports]

Bridge vlan behaviour (egress)
add a line for each vlanid, what needs to be tagged (bridge and trunk ports), untagged (wlan and access ports).

Default firewall rules to start.
Input chain
{default rules}
add action=accept chain=input comment="Allow ADMIN to Router" \
in-interface=vlan2 src-address=adminpcIP
last rule drop all else

Forward Chain.
{default rules}
[admin access] accept in-interface=vlan2 source ip= adminpcIP, out-interface-list=ADMIN (note2)
[synology, vlan2, vlan5, wifi devices, htpc, guest wifi, google access] accept in-interface-list=INTernet out-interface=wan (note6)
[server/home access] accept in-interface=vlan10 sourceip=serverhomeIP, out-interface-list=LAB (note3)
[wifi devices access] accept in-interface=vlan15 destination address-list=wifidevices (note4)
[iot access] accept in-interface=vlan50 destination-address=homeserverlabIP
[htpc access] accept in-interface=vlan 60 destination-address-list=HTPC note5
{default rules}
last rule drop all else

note2: Make an interface list
vlan5=ADMIN
vlan10=ADMIN
vlan15=ADMIN
vlan20=ADMIN
vlan30=ADMIN
vlan40=ADMIN
vlan50=ADMIN
vlan 60 =ADMIN
note3: Make an interface list
vlan5=LAB
vlan20=LAB
vlan50=LAB
Note4: Make a firewall address list
synologyIP=wifidevices
printerIP=wifidevices
Note5: Make a firewall address list
homelabIP=HTPC
printerIP=HTPC
synologyIP=HTPC
note6: Make an interface list
vlan2=INTernet
vlan5=INTernet (this includes home wifi and printer (did you want printer to access internet??))
vlan10=INTernet
vlan15=INTernet
vlan20=INTernet
vlan30=INTernet
vlan40=INTernet
vlan 60=INTernet
Last edited by anav on Fri Mar 27, 2020 4:41 am, edited 4 times in total.
 
hahnhell
Member Candidate
Topic Author

Re: New Home Setup VLANs

Thu Mar 26, 2020 10:03 pm

The server/lab is what I use to play around with learning more networking stuff. It's just an ubuntu pc, but I have NodeRed, MQTT, and OpenHAB (OH) running on it. OH is central to all my home automation. So it controls everything in the house IoT.

For my IoT (lots of ESP8266), I do not have/want it to have any internet access as they are all locally controlled via OH. The OH has internet access[able] so that I can control my items via google or web app, but for now things are staying internal and I will only enable that at a later date once I feel comfortable about my network being secure enough.

I SSH into the Server to modify and add devices and configure the home automation stuff.

My Synology is where I keep files/photos/videos backed up. I have a Plex server running off that one so the home lan will need access to that.

I like your idea of beefing up the Admin PC so that it has more accesses.

The HTPC is the largest hog on bandwidth/access. It will either be looking at Netflix, YouTube, or streaming Plex or movies from the Synology. I have a few Chromecasts which will be in there as well, but they will be covered in the Google devices section.

Did I get all your questions? Thank you sooo much for the quick replies. I am amazed at the turnaround time I'm getting! Although, considering the climate we are in, many of us are probably sitting at home with not a whole lot going on. I'm working from home as it is, so I have a bit more free time on my hands.

The google devices are WiFi.
 
hahnhell
Member Candidate
Topic Author

Re: New Home Setup VLANs

Fri Mar 27, 2020 2:30 pm


Default firewall rules to start.
Input chain
{default rules}
Good morning @anav, at least it's morning here for me, TGIF.

First of all.. WOW. I've been looking at trying to figure this all out for a long time now and you've just thrown something together in a day. Thank you and now I have some playing around to do today!

From what I've quoted above, are you saying that I would use the default firewall configs from a freshly reset RB and then add in what you have below that? I'm learning that these have to be in order of precedence, so I gather I put everything in there, then add the drop all at the end.

Lastly, I've read a lot (with little understanding) about how there is a difference between interface VLANs and Bridge VLANs (and others..). I know that the RB4011 doesn't have one of those fancy CRS switch chips, but does this method take advantage of everything to ensure we are getting the best performance from the network? Please don't take this as doubting your hard work, I'm just trying to learn as much as I can as I go here.

Have a wonderful Friday. I will try and not drive my wife crazy with the setup and disconnects that will be happening most of today! haha.
 
anav
Forum Guru

Re: New Home Setup VLANs

Fri Mar 27, 2020 3:23 pm

Keep the drop all else rules till the end....... to make sure you don't lock yourself out of access to the router or on the LAN.
Also, in winbox use the SAFEBOX for all changes (upper left of screen).

Well the setup I tried to think of is probably not the most efficient but its a decent start.
In terms of using the switching capabilities to the max, that is a good question.
The problem is I am very comfortable with the new method of vlan bridging but not at all familiar with the older style of HW offloading switch chip approach.
Let's get one working and then tackle the harder one later LOL.

Okay, what we can do to make this more efficient is put the htpc computer and synology on the same VLAN.
Will need to make some extra firewall rules to ensure the design requirements access to and fro are met but this will allow super great connectivity between the two and thus no extra load on the CPU for routing this heavy traffic!!
 
anav
Forum Guru

Re: New Home Setup VLANs

Fri Mar 27, 2020 3:58 pm

With slight modifications LOL
Basic starting point.
vlan2=adminPC (iot, google, home wifi devices, synology, serverhomelab, htpc, internet, printer, homewifi)
vlan5 -printer & homewifi (internet)
vlan10 Server home/Lab (synology printer, iot, home wifi, internet)
vlan15=home wifi_devices (internet, (synology, printer))
vlan20=synology (internet only) & htpc (server/lab, printer, internet)
vlan30=google (internet only)
vlan40=guest wifi (internet only)
vlan50=iotdevices (homeserver only)


Create bridge = bridgehome
Create vlans with interface =bridgehome
Create dhcp structures for each vlan (ip address, dhcp-server, dhcp-server network, dhcp pool)
Create bridge port structure (assuming eth1 is for WAN)
eth2 - adminpc
eth3 - homeserverlab
eth4
eth5
++++++++++++++++++++++++++++++++++++++++ eth2-5 are one switch chip /6-10 on another/ sfp port is by itself.
eth6 - htpc
eth7 - synology
eth8 -
eth9
eth10
wlan1 5ghz home wifi
wlan2 5ghz guest wifi
wlan3 5ghz google devices wifi
wlan3 2ghz (iot devices channel 1)
wlan4 2ghz (home wifi devices channel 11)

Bridge ports describe ingress behaviour
so wlans entries include PVID and have frame-types=admit-only-untagged-and-priority-tagged [access ports]
so eth port entries to non vlan capable devices are same as wlans frame-types=admit-only-untagged-and-priority-tagged [access ports]
eth port entries to vlan aware devices (smart switches etc) ingress filtering=yes [trunk ports]

Bridge vlan behaviour (egress)
add a line for each vlanid, what needs to be tagged (bridge and trunk ports), untagged (wlan and access ports).

Default firewall rules to start.
Input chain
{default rules}
add action=accept chain=input comment="Allow ADMIN to Router" \
in-interface=vlan2 src-address=adminpcIP
last rule drop all else

Forward Chain.
{default rules, fasttrack, established connected, drop invalid etc....}
[admin access] accept in-interface=vlan2 source ip= adminpcIP, out-interface-list=ADMIN (note2)
[synology, admin, homewifi, printer, wifi devices, htpc, guest wifi, google access] accept in-interface-list=INTernet out-interface=wan (note6)
[server/home access] accept in-interface=vlan10 sourceip=serverhomeIP, destination-address-list=LAB (note3)
[wifi devices access] accept in-interface=vlan15 destination address-list=wifidevices (note4)
[iot access] accept in-interface=vlan50 destination-address=homeserverlabIP
[htpc access] accept in-interface=vlan 20 source-address=htpcIP destination-address-list=HTPC note5
{default rules, "defconf: drop all from WAN not DSTNATed"}
last rule drop all else

note2: Make an interface list for admin access to all vlans
vlan5=ADMIN
vlan10=ADMIN
vlan15=ADMIN
vlan20=ADMIN
vlan30=ADMIN
vlan40=ADMIN
vlan50=ADMIN

note3: Make a firewall address list for server home lab access to other devices
vlan5subnet=LAB
synologyIP=LAB
vlan50subnet=LAB

Note4: Make a firewall address list
synologyIP=wifidevices
printerIP=wifidevices

Note5: Make a firewall address list
homelabIP=HTPC
printerIP=HTPC

note6: Make an interface list for access to the internet
vlan2=INTernet
vlan5=INTernet (this includes home wifi and printer (did you want printer to access internet??))
vlan10=INTernet
vlan15=INTernet
vlan20=INTernet
vlan30=INTernet
vlan40=INTernet
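The bridge, VLAN-interface, bridge-port (ingress) and bridge-VLAN (egress) structure described above, written out as RouterOS commands. This is an added example and not anav's or hahnhell's configuration: the interface names, the vlanN names, the 10.0.<vlan>.0/24 addressing and the port-to-device mapping are assumptions, and only some of the segments are shown.

```routeros
# Added example (not from the thread): bridge VLAN filtering skeleton for the
# layout above. Names and 10.0.<vlan>.0/24 addressing are assumptions.
# ether1 carries PPPoE to the ISP and is deliberately NOT a bridge port.

# 1. One bridge. Leave vlan-filtering off until ports and the VLAN table exist,
#    otherwise the router can cut itself off from the management host.
/interface bridge
add name=bridgehome vlan-filtering=no

# 2. One VLAN interface per segment, all on the bridge. IPs and DHCP attach here.
/interface vlan
add interface=bridgehome name=vlan2  vlan-id=2  comment="adminPC"
add interface=bridgehome name=vlan5  vlan-id=5  comment="printer and home wifi"
add interface=bridgehome name=vlan10 vlan-id=10 comment="server/lab"
add interface=bridgehome name=vlan20 vlan-id=20 comment="synology and htpc"
add interface=bridgehome name=vlan50 vlan-id=50 comment="iot devices"

# 3. Bridge ports = INGRESS. An access port gets a PVID and accepts only
#    untagged frames, so a host cannot pick its own VLAN by sending 802.1Q tags.
/interface bridge port
add bridge=bridgehome interface=ether2 pvid=2  frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes comment="adminpc"
add bridge=bridgehome interface=ether3 pvid=10 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes comment="server/lab"
add bridge=bridgehome interface=ether6 pvid=20 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes comment="htpc"
add bridge=bridgehome interface=ether7 pvid=20 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes comment="synology"
add bridge=bridgehome interface=ether8 pvid=5  frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes comment="printer"
add bridge=bridgehome interface=wlan1  pvid=5  frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes comment="home wifi 5ghz"
add bridge=bridgehome interface=wlan2  pvid=50 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes comment="iot wifi 2ghz"
# A trunk to a VLAN-aware switch (none in this thread) would accept tagged frames only:
# add bridge=bridgehome interface=ether9 frame-types=admit-only-vlan-tagged ingress-filtering=yes comment="trunk"

# 4. Bridge VLAN table = EGRESS. The bridge itself is TAGGED on every VLAN so
#    the vlanN interfaces see the traffic; each access port is UNTAGGED on its
#    own VLAN only. The WAN port never appears in this table.
/interface bridge vlan
add bridge=bridgehome vlan-ids=2  tagged=bridgehome untagged=ether2
add bridge=bridgehome vlan-ids=5  tagged=bridgehome untagged=ether8,wlan1
add bridge=bridgehome vlan-ids=10 tagged=bridgehome untagged=ether3
add bridge=bridgehome vlan-ids=20 tagged=bridgehome untagged=ether6,ether7
add bridge=bridgehome vlan-ids=50 tagged=bridgehome untagged=wlan2

# 5. L3 per VLAN: the gateway is the .1 HOST address (x.x.x.1/24), not the
#    network address x.x.x.0/24. DHCP hands out that gateway and points clients
#    at the router as resolver (which needs /ip dns allow-remote-requests=yes
#    and an input rule permitting DNS from the LAN).
/ip address
add address=10.0.2.1/24  interface=vlan2
add address=10.0.5.1/24  interface=vlan5
add address=10.0.10.1/24 interface=vlan10
add address=10.0.20.1/24 interface=vlan20
add address=10.0.50.1/24 interface=vlan50
/ip pool
add name=pool_vlan50 ranges=10.0.50.10-10.0.50.254
/ip dhcp-server
add name=dhcp_vlan50 interface=vlan50 address-pool=pool_vlan50 disabled=no
/ip dhcp-server network
add address=10.0.50.0/24 gateway=10.0.50.1 dns-server=10.0.50.1
# (repeat the pool / dhcp-server / network trio for vlan2, 5, 10 and 20)

# 6. Only now, from a session on an access port that is in the table, enable
#    filtering. In Winbox use Safe Mode so a mistake rolls back on disconnect.
/interface bridge
set bridgehome vlan-filtering=yes
```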
 
hahnhell
Member Candidate
Topic Author

Re: New Home Setup VLANs

Fri Mar 27, 2020 11:04 pm

Alright, I've tried my best to put this all into action and it does seem that everything is almost working!

I gave it a try and from my AdminPC I have internet but I'm having trouble with the rest. You can see my config attached.
  • First thing is I can't seem to access the RB via winbox anymore. All I can get is the webgui
  • Seems my Home WiFi does not have internet
  • I can't seem to ping my server or the synology from the adminpc
I can see all my devices within DHCP leases, it seems that I can't get access to them.

I tried my best to follow everything that you put into there. Save for a few minor changes to vlan#.

My printer is a LAN printer and is connected to port 8. It does not need the internet to survive.

Is there something I missed or misconfigured? I didn't restart all the devices to renew IPs etc. I just tried the WiFi with my cell and can obviously still connect as it is the same SSID and pwd, but no longer have internet on them.

I'll leave it at that, I have a feeling I have bastardised something completely.

The places I got a little lost were:
  • correctly configuring the DHCP structures, I'm not sure I have the gateways right;
  • I don't have any trunk ports, so I believe I configured the bridge port ingress behaviour;
  • I'm not good at the tagging bits, please check my file that I did it right - It also may need to change due to the printer not being connected to the internet;
  • Ref firewall rules: I didn't have IPs configured for my adminpc or other devices yet, I thought I could just not include that and it would let the whole VLAN have access;
 
anav
Forum Guru

Re: New Home Setup VLANs

Sat Mar 28, 2020 1:42 am

Going to eat first but will take a look at this later. Progress is starting a first config. :-)
 
vortex
Forum Guru
Posts: 1092
Joined: Sat Feb 16, 2013 6:10 pm

Re: New Home Setup VLANs

Sat Mar 28, 2020 1:57 am

A problem is when you need mDNS to be able to connect to a device.
 
anav
Forum Guru

Re: New Home Setup VLANs

Sat Mar 28, 2020 4:24 am

Comments
1- Get rid of legacy 88 stuff.
2 - Your WIFI is very confusing, do you not have an RB4011 with wifi????
It is supposed to have 5 Chains!!
You should be able to assign wlan1- 5ghz, wlan2 - 5ghz, wlan3 - 5ghz, wlan 4- 2ghz, wlan 5- 2ghz or something like that.
It's missing wlans too.
3 - don't forget vlan 5 is home wifi, vlan15 is home wifi devices (in your config you have dropped the word devices from vlan15 entries making the config very confusing.)
4 - Errors also in that you need to apply actual IPs for firewall address lists and one of your firewall address lists is supposed to be an interface list!

/interface bridge
add admin-mac=C4:AD:34:60:85:C1 auto-mac=no name="Home Bridge"
/interface ethernet
set [ find default-name=ether1 ] name="1 - Valerie WAN"
set [ find default-name=ether2 ] name="2 - AdminPC"
set [ find default-name=ether3 ] name="3 - Server"
set [ find default-name=ether4 ] name="4 - Work PC"
set [ find default-name=ether5 ] name="5 - RPi"
set [ find default-name=ether6 ] name="6 - HTPC"
set [ find default-name=ether7 ] name="7 - Synology"
set [ find default-name=ether8 ] name="8 - Printer"
set [ find default-name=sfp-sfpplus1 ] disabled=yes
/interface pppoe-client
add add-default-route=yes disabled=no interface="1 - Valerie WAN" name=\
"PPPoE WAN" service-name="Virgin Mobile PPPoE" user=\
REDACTED@virginmobile.ca
/interface vlan
add interface="Home Bridge" name="AdminPC VLAN101" vlan-id=101
add interface="Home Bridge" name="Google VLAN30" vlan-id=30
add interface="Home Bridge" name="Guest WiFi VLAN40" vlan-id=40
add interface="Home Bridge" name="Home WiFi ??? Devices VLAN15" vlan-id=15
add interface="Home Bridge" name="IoT VLAN50" vlan-id=50
add interface="Home Bridge" name="Printer & Home WiFi VLAN5" vlan-id=5
add interface="Home Bridge" name="Server/Lab VLAN10" vlan-id=10
add interface="Home Bridge" name="Synology & HTPC VLAN20" vlan-id=20
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
]add name=Admin
add name=Internet

(5) Until we get the number of chains resolved not much we can do on wifi................. you need to use all five chains
iotdevices 2ghz, home wifi devices -2ghz home wifi - 5ghz, guest wifi-5ghz, google-5ghz
/interface wireless
set [ find default-name=wlan1 ] band=5ghz-a/n/ac channel-width=\
20/40/80mhz-XXXX country=canada disabled=no distance=indoors frequency=\
auto hide-ssid=yes installation=indoor mode=ap-bridge name="Home WiFi" \
secondary-channel=auto security-profile=home ssid="JBHLMH Home 5GHz" \
wireless-protocol=802.11 wps-mode=disabled
set [ find default-name=wlan2 ] band=2ghz-b/g/n channel-width=20/40mhz-eC \
country=canada disabled=no frequency=2452 mode=ap-bridge name="IoT WiFi" \
security-profile=iot ssid="JBHLMH IoT 2GHz" wireless-protocol=802.11 \
wps-mode=disabled
add hide-ssid=yes keepalive-frames=disabled mac-address=76:4D:28:BE:98:0E \
master-interface="IoT WiFi" multicast-buffering=disabled name=\
"Backup IoT WiFi" security-profile=iot ssid="JBHLMH IoT Backup" \
wds-cost-range=0 wds-default-cost=0 wps-mode=disabled
add disabled=no keepalive-frames=disabled mac-address=C6:AD:34:60:85:CD \
master-interface="Home WiFi" multicast-buffering=disabled name=\
"Google WiFi" security-profile=iot ssid="JBHLMH Google 5GHz" \
wds-cost-range=0 wds-default-cost=0 wps-mode=disabled

/ip pool
add name="Default Pool" ranges=192.168.88.10-192.168.88.254
add name="Admin Pool" ranges=192.168.101.2-192.168.101.254
add name="Printer & Home WiFi Pool" ranges=192.168.5.1-192.168.5.254
add name="Server Pool" ranges=192.168.10.1-192.168.10.254
add name="Home WiFi Pool" ranges=192.168.15.2-192.168.15.254
add name="Synology and HTPC Pool" ranges=192.168.20.2-192.168.20.254
add name="Google Pool" ranges=192.168.30.2-192.168.30.254
add name="Guest WiFi Pool" ranges=192.168.40.2-192.168.40.254
add name="IoT Pool" ranges=192.168.50.2-192.168.50.254
/ip dhcp-server
add address-pool="Default Pool" disabled=no interface="Home Bridge" name=\
"Default DHCP"

add address-pool="Admin Pool" disabled=no interface="AdminPC VLAN101" name=\
"Admin DHCP"
add address-pool="Printer & Home WiFi Pool" disabled=no interface=\
"Printer & Home WiFi VLAN5" name="Printer & Home WiFi DHCP"
add address-pool="Server Pool" disabled=no interface="Server/Lab VLAN10" \
name="Server DHCP"
add address-pool="Home WiFi ???? (devices) Pool" disabled=no interface="Home WiFi VLAN15" \
name="Home WiFi DHCP"
add address-pool="Synology and HTPC Pool" disabled=no interface=\
"Synology & HTPC VLAN20" name="Synology & HTPC DHCP"
add address-pool="Google Pool" disabled=no interface="Google VLAN30" name=\
"Google DHCP"
add address-pool="Guest WiFi Pool" disabled=no interface="Guest WiFi VLAN40" \
name="Guest WiFi DHCP"
add address-pool="IoT Pool" disabled=no interface="IoT VLAN50" name=\
"IoT DHCP"
/interface bridge port
add bridge="Home Bridge" comment=defconf frame-types=\
admit-only-untagged-and-priority-tagged interface="2 - AdminPC" pvid=101
add bridge="Home Bridge" comment=defconf frame-types=\
admit-only-untagged-and-priority-tagged interface="3 - Server" pvid=10
add bridge="Home Bridge" comment=defconf frame-types=\
admit-only-untagged-and-priority-tagged interface="4 - Work PC" pvid=40
add bridge="Home Bridge" comment=defconf frame-types=\
admit-only-untagged-and-priority-tagged interface="5 - RPi" pvid=10
add bridge="Home Bridge" comment=defconf frame-types=\
admit-only-untagged-and-priority-tagged interface="6 - HTPC" pvid=20
add bridge="Home Bridge" comment=defconf frame-types=\
admit-only-untagged-and-priority-tagged interface="7 - Synology" pvid=20
add bridge="Home Bridge" comment=defconf frame-types=\
admit-only-untagged-and-priority-tagged interface="8 - Printer" pvid=5
add bridge="Home Bridge" comment=defconf disabled=yes interface=ether9
add bridge="Home Bridge" comment=defconf disabled=yes interface=ether10
add bridge="Home Bridge" comment=defconf frame-types=\
admit-only-untagged-and-priority-tagged interface="Home WiFi ???Devices" pvid=15
add bridge="Home Bridge" comment=defconf frame-types=\
admit-only-untagged-and-priority-tagged interface="IoT WiFi" pvid=50
add bridge="Home Bridge" disabled=yes interface="Backup IoT WiFi" what the heck is this LOL.
add bridge="Home Bridge" frame-types=admit-only-untagged-and-priority-tagged \
interface="Google WiFi" pvid=30
{missing home wifi vlan 5}
{missing guest wifi vlan 40}

/ip neighbor discovery-settings
set discover-interface-list=LAN

6. Yikes, major clean up here........ stuff in red gotta go
/interface bridge vlan
add bridge="Home Bridge" tagged="Home Bridge" untagged="2 - AdminPC,3 - Server\
,4 - Work PC,5 - RPi,6 - HTPC,7 - Synology,8 - Printer,Home WiFi,Google Wi\
Fi,IoT WiFi"
vlan-ids=101
add bridge="Home Bridge" tagged="Home Bridge" untagged=\
"8 - Printer,Home WiFi,1 - Valerie WAN" vlan-ids=5
add bridge="Home Bridge" tagged="Home Bridge" untagged=\
"3 - Server,7 - Synology,8 - Printer,Home WiFi,1 - Valerie WAN" vlan-ids=\
10
add bridge="Home Bridge" tagged="Home Bridge" untagged=\
Home WIFI Devices WLAN "1 - Valerie WAN,7 - Synology,8 - Printer" vlan-ids=15
add bridge="Home Bridge" tagged="Home Bridge" untagged=\
"6 - HTPC", "7 - Synology" "1- Valerie WAN,3 - Server,8 - Printer" vlan-ids=20
add bridge="Home Bridge" tagged="Home Bridge" untagged= google wlan "1 - Valerie WAN" \
vlan-ids=30
add bridge="Home Bridge" tagged="Home Bridge" untagged= guest wifi wlan "1 - Valerie WAN" \
vlan-ids=40
add bridge="Home Bridge" tagged="Home Bridge" untagged="IoT WiFi "3 - Server" vlan-ids=\
50
/interface detect-internet
set detect-interface-list=WAN

/interface list member
add comment=defconf interface="Home Bridge" list=LAN
add comment=defconf disabled=yes interface="1 - Valerie WAN" list=WAN
add interface="PPPoE WAN" list=WAN
add interface="Printer & Home WiFi VLAN5" list=Admin
add interface="Server/Lab VLAN10" list=Admin
add interface="Home WiFi VLAN15" list=Admin
add interface="Synology & HTPC VLAN20" list=Admin
add interface="Google VLAN30" list=Admin
add interface="Guest WiFi VLAN40" list=Admin
add interface="IoT VLAN50" list=Admin
add interface="AdminPC VLAN101" list=Internet
add interface="Printer & Home WiFi VLAN5" list=Internet
add interface="Server/Lab VLAN10" list=Internet
add interface="Home WiFi VLAN15" list=Internet
add interface="Synology & HTPC VLAN20" list=Internet
add interface="Google VLAN30" list=Internet
add interface="Guest WiFi VLAN40" list=Internet
/ip address
add address=192.168.88.1/24 comment=defconf interface="Home Bridge" network=\
192.168.88.0

add address=192.168.101.1/24 interface="AdminPC VLAN101" network=\
192.168.101.0
add address=192.168.5.0/24 interface="Printer & Home WiFi VLAN5" network=\
192.168.5.0
add address=192.168.10.0/24 interface="Server/Lab VLAN10" network=\
192.168.10.0
add address=192.168.15.0/24 interface="Home WiFi VLAN15" network=192.168.15.0
add address=192.168.20.0/24 interface="Synology & HTPC VLAN20" network=\
192.168.20.0
add address=192.168.30.0/24 interface="Google VLAN30" network=192.168.30.0
add address=192.168.40.0/24 interface="Guest WiFi VLAN40" network=\
192.168.40.0
add address=192.168.50.0/24 interface="IoT VLAN50" network=192.168.50.0
/ip dhcp-client
add comment=defconf interface="1 - Valerie WAN"
/ip dhcp-server lease
add address=192.168.88.203 client-id=1:0:4:20:f0:9:54 mac-address=\
00:04:20:F0:09:54 server="Default DHCP"

/ip dhcp-server network
add address=192.168.5.0/24 gateway=192.168.5.1
add address=192.168.10.0/24 gateway=192.168.10.1
add address=192.168.15.0/24 gateway=192.168.15.1
add address=192.168.20.0/24 gateway=192.168.20.1
add address=192.168.30.0/24 gateway=192.168.30.1
add address=192.168.40.0/24 gateway=192.168.40.1
add address=192.168.50.0/24 gateway=192.168.50.1
add address=192.168.60.0/24 gateway=192.168.60.1
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
add address=192.168.101.0/24 gateway=192.168.101.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan


7. This is also an area with some issues.

Remember
Note4: Make a firewall address list
synologyIP=wifidevices - you need the IP address of the synology here!! it needs to be made static.
printerIP=wifidevices - same comment for printer IP

Note5: Make a firewall address list
homelabIP=HTPC - same comment for homelabIP
printerIP=HTPC - same comment for printerIP
synologyIP=HTPC - same comment for synology IP.

note3: Make a firewall address list for server home lab access to other devices
vlan5subnet=LAB
synologyIP=LAB
vlan50subnet=LAB

/ip firewall address-list
add address=192.168.5.0/24 list=LAB OK
add address=192.168.20.0/24 list=LAB
[add address=192.168.50.0/24 list=LAB OK
add address=192.168.20.0/24 list="WiFi Devices"
add address=192.168.5.0/24 list="WiFi Devices"
add address=192.168.20.0/24 list=HTPC
add address=192.168.5.0/24 list=HTPC

/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment="VLAN Allow Admin to Router" \
in-interface="AdminPC VLAN101" (add source IP address= admin PC (put in the actual IP of the admin pc as well)
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=accept chain=forward comment="VLAN Admin Access" in-interface=\
"AdminPC VLAN101" out-interface-list=Admin source-ip=adminpcIP (like above put in actual ip of admin pc)
add action=accept chain=forward comment="VLAN Internet Access" \
in-interface-list=Internet out-interface-list=WAN
add action=accept chain=forward comment="Server Access" dst-address-list=LAB \
in-interface="Server/Lab VLAN10" src-address=serverhomeIP
add action=accept chain=forward comment="VLAN WiFi Device Access" \
dst-address-list="WiFi Devices" in-interface="Home WiFi VLAN15"
add action=accept chain=forward comment="VLAN IoT Access" dst-address-list=LAB \
dst-address=serverlabIP in-interface="IoT VLAN50"
add action=accept chain=forward comment="VLAN HTPC Access" dst-address-list=\
HTPC in-interface="Synology & HTPC VLAN20" src-address-list=HTPC src-address=htpcIP
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
 
hahnhell
Member Candidate
Topic Author
Posts: 108
Joined: Sat Mar 07, 2020 11:49 pm
Location: NCR, Canada

Re: New Home Setup VLANs

Sat Mar 28, 2020 2:16 pm

Ok, I'm going to work on these changes.

However, wrt the wlan3/4 I am not certain I know how to enable this. Yes, it is a 4-chain 5GHz and 2-chain 2GHz, but I only can see 2 wlan interfaces... Is there something I am doing wrong?

I removed the backup, sorry that was me playing around! Here is a pic and a printout of my wireless. Note, this is just in its current state, running without VLANs enabled.
[JBHLMH@MikroTik] > interface wireless print
Flags: X - disabled, R - running 
 0    name="Google WiFi" mtu=1500 l2mtu=1600 mac-address=C6:AD:34:60:85:CD 
      arp=enabled interface-type=virtual master-interface=Home WiFi 
      mode=ap-bridge ssid="JBHLMH Google 5GHz" vlan-mode=no-tag vlan-id=1 
      wds-mode=disabled wds-default-bridge=none wds-ignore-ssid=no 
      bridge-mode=enabled default-authentication=yes default-forwarding=yes 
      default-ap-tx-limit=0 default-client-tx-limit=0 hide-ssid=no 
      security-profile=iot 

 1  R name="Home WiFi" mtu=1500 l2mtu=1600 mac-address=C4:AD:34:60:85:CB 
      arp=enabled interface-type=QCA9984 mode=ap-bridge ssid="JBHLMH Home 5GHz" 
      frequency=auto band=5ghz-a/n/ac channel-width=20/40/80mhz-XXXX 
      secondary-channel=auto scan-list=default wireless-protocol=802.11 
      vlan-mode=no-tag vlan-id=1 wds-mode=disabled wds-default-bridge=none 
      wds-ignore-ssid=no bridge-mode=enabled default-authentication=yes 
      default-forwarding=yes default-ap-tx-limit=0 default-client-tx-limit=0 
      hide-ssid=no security-profile=home compression=no 

 2  R name="IoT WiFi" mtu=1500 l2mtu=1600 mac-address=74:4D:28:BE:98:0E 
      arp=enabled interface-type=Atheros AR9300 mode=ap-bridge 
      ssid="JBHLMH IoT 2GHz" frequency=2452 band=2ghz-b/g/n 
      channel-width=20/40mhz-eC secondary-channel="" scan-list=default 
      wireless-protocol=802.11 vlan-mode=no-tag vlan-id=1 wds-mode=disabled 
      wds-default-bridge=none wds-ignore-ssid=no bridge-mode=enabled 
      default-authentication=yes default-forwarding=yes default-ap-tx-limit=0 
      default-client-tx-limit=0 hide-ssid=no security-profile=iot 
      compression=no 
Only thing I can see to make is more virtual wireless interfaces.. Is this what you mean?

I'll work on the rest for now.
 
anav
Forum Guru
Posts: 19323
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: New Home Setup VLANs

Sat Mar 28, 2020 2:32 pm

I will endeavour to find out. My capac has two chains and I have a 2ghz wlan and a 5ghz wlan. Anything above that is virtual.
Reading the literature it says the rb4011 should have 4x 5ghz chains, and 2x 2ghz chains so SIX in total.
 
mkx
Forum Guru
Posts: 11593
Joined: Thu Mar 03, 2016 10:23 pm

Re: New Home Setup VLANs

Sat Mar 28, 2020 3:37 pm

Number of chains has nothing to do with number of master wlan interfaces, it's the number of radios (and each radio can have one or more chains). @anav's cAP ac devices have two radios (2.4GHz and 5GHz) and each radio has 2 chains (for 2x2 MIMO).
 
anav
Forum Guru
Posts: 19323
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: New Home Setup VLANs

Sat Mar 28, 2020 3:43 pm

Hmmmmmmmm
Okay so in my capac, I have two radios and thus only 2 master WLANs to configure?
The rest have to be virtual.
So what is the benefit of having 2 chains per radio then?? One chain is for the master WLAN and one for as many virtual radios??

So in the RB4011 there are also two radios,
So he will only have two master WLANs, one for 2gig and one for 5gig

So what the hell good is 4 chains for the 5ghz radio and 2 chains for the 2ghz radio............. man I know shit and it's very confusing and frustrating. Why can't this be rationally explained in plain English?
 
anav
Forum Guru
Posts: 19323
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: New Home Setup VLANs

Sat Mar 28, 2020 4:01 pm

Okay dude, guess we are stuck on making virtual radios
So decide which will be 5ghz and which will be 2ghz.
house wifi- ?
guest wifi -?
google wifi -?
iot devices wifi -?
home wifi devices -?

Typically IOT devices work best in 2ghz domain. Not sure about google devices or your home wifi devices.
The pita is that each 2ghz radio will be sharing the same frequency so pick this very carefully, as far away from noise as possible.
I would put the home wifi and guest wifi at the 5ghz domain.

5ghz Master - home wifi on mine I have scan-list=5175-5185,5195-5205,5215-5225
5ghz Virtual - guest wifi
[5ghz Virtual - google devices]

2ghz Master - iot devices
2ghz Virtual home wifi devices
[2 ghz Google home devices ]
 
hahnhell
Member Candidate
Topic Author
Posts: 108
Joined: Sat Mar 07, 2020 11:49 pm
Location: NCR, Canada

Re: New Home Setup VLANs

Sat Mar 28, 2020 4:11 pm

Ok, so I've tried to configure it again and removed the 88 stuffs and fixed the items like you said.

Seems I've still got some issues.
So decide which will be 5ghz and which will be 2ghz.
wlan1 5ghz home wifi
wlan2 5ghz guest wifi (virtual)
wlan3 5ghz google devices wifi (virtual)
wlan4 2ghz (iot devices channel 1)
wlan5 2ghz (home wifi devices channel 11) (virtual)
I just haven't designated channels yet. I'll have to scan to see what's best where I live. There are a number of other WiFi folks nearby.

Here is the latest config. I still don't have wifi internet (5GHz at least that I have checked) nor do I have winbox access from my adminpc. I still have internet on it though.. seeing as this is how I'm posting to you. But I will revert from vlan-filtering on the bridge and see what we can do next.

Is there something I've done wrong in the firewall?
 
anav
Forum Guru
Posts: 19323
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: New Home Setup VLANs

Sat Mar 28, 2020 4:51 pm

Probably not included in hide-sensitive configs, but can you confirm that you have IP Service setup for winbox with your adminpc having access??

Also under tools, for mac server, that for the winbox server, ensure the vlan101 interface is set there as allowed interface
 
hahnhell
Member Candidate
Topic Author
Posts: 108
Joined: Sat Mar 07, 2020 11:49 pm
Location: NCR, Canada

Re: New Home Setup VLANs

Sat Mar 28, 2020 5:03 pm

Probably not included in hide-sensitive configs, but can you confirm that you have IP Service setup for winbox with your adminpc having access??

Also under tools, for mac server, that for the winbox server, ensure the vlan101 interface is set there as allowed interface
Ok, I have set this.

I'll update in a bit to see what happens.
 
hahnhell
Member Candidate
Topic Author
Posts: 108
Joined: Sat Mar 07, 2020 11:49 pm
Location: NCR, Canada

Re: New Home Setup VLANs

Sat Mar 28, 2020 5:49 pm

So when I change the MAC Server settings to the admin interface list, I can no longer access the device from winbox PRIOR to removing all the 88 stuffs. Once I remove all the 88 items, then I can only access through IP, and only after I manually set my AdminPC IP to 101. When my adminPC connects and gets an auto IP, I can see the RB in winbox, but can't connect. Once I manually set the IP, it no longer appears...

At least this is what I think I am seeing.

When I set VLAN Filtering on the bridge, I'm assuming that I set it to Admit all, or am I supposed to use a diff setting there?

All of my devices get set to the right IPs/VLAN addresses once their leases expire.

This is what my RB looks like in winbox. It has no IP?
 
anav
Forum Guru
Posts: 19323
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: New Home Setup VLANs

Sat Mar 28, 2020 7:14 pm

All the IPs we have talked about have to be static, or the rules won't work.
So what you do, is go to the IP main menu selection.
Choose the DHCP Server sub selection
Then select Leases (third from the left at the top)

If your PC or device has been assigned the IP you want it to have then simply make it a static entry after opening it up.
If it's already set static then that option is not visible.

If the device has a different IP address but you are happy with it, then set this IP as static, and then change any rules in the config so the IPs match.

Lastly you can add your device as an entry that you want IP address, but you will need the mac address, make this selection static then delete the old/wrong one.
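The same Leases steps as CLI commands, as an added example that is not from the thread or from anav's config: the MAC addresses and the DHCP server name dhcp-vlan101 are constructed placeholders, and the last block is an extra check that none of the addresses the rules depend on is still a dynamic lease.

```routeros
# Added example, not from the thread: CLI equivalent of the Leases steps above.
# MAC addresses and the server name "dhcp-vlan101" are constructed placeholders.
/ip dhcp-server lease

# Case 1: the device already holds the address you want - pin its current lease.
make-static [find mac-address=AA:BB:CC:DD:EE:01 dynamic=yes]

# Case 2: the device must get a specific address it does not hold yet - remove the
# dynamic lease and add the wanted one (an entry added by hand is static).
remove [find mac-address=AA:BB:CC:DD:EE:02 dynamic=yes]
add address=192.168.101.10 mac-address=AA:BB:CC:DD:EE:02 server=dhcp-vlan101 \
    comment="AdminPC"

# Check: every address a firewall rule refers to must be static. A lease that is
# still dynamic can change on renewal and the rule silently stops matching.
:foreach l in=[find dynamic=yes] do={
    :put ("still dynamic: " . [get $l address] . " " . [get $l mac-address])
}
```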
 
hahnhell
Member Candidate
Topic Author
Posts: 108
Joined: Sat Mar 07, 2020 11:49 pm
Location: NCR, Canada

Re: New Home Setup VLANs

Sat Mar 28, 2020 8:38 pm

Ok, so I don't know what to ask/say. I've made all the IPs static: Synology, printer, Server, Admin, HTPC.

I can connect via winbox from AdminPC, but only using IP of the RB, not using MAC. I've configured the winbox settings the way you said, but I haven't seen a difference either way.

Still no internet on other vlans and I haven't been able to ssh into the server or get onto the synology webpage, even though I see them on the network.

I have backups made of each working and non-working configs so eventually we'll find where it is blocked.

Thanks a bunch. Let me know what you think I've configured wrong?
Last edited by hahnhell on Sat Mar 28, 2020 9:20 pm, edited 1 time in total.
 
mkx
Forum Guru
Posts: 11593
Joined: Thu Mar 03, 2016 10:23 pm

Re: New Home Setup VLANs

Sat Mar 28, 2020 8:43 pm

So what is the benefit of having 2 chains per radio then?? One chain is for the master WLAN and one for as many virtual radios??
Multiple chains per radio are for MIMO and MIMO (theoretically) multiplies throughput (2x2 MIMO offers double throughput as compared to 1x1 MIMO).
 
anav
Forum Guru
Posts: 19323
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: New Home Setup VLANs

Sat Mar 28, 2020 11:42 pm

Too buzzed to make a reasonable try at the config; had a quick look and it seemed okay, but tomorrow is another day.
 
bpwl
Forum Guru
Posts: 2993
Joined: Mon Apr 08, 2019 1:16 am

Re: New Home Setup VLANs

Sun Mar 29, 2020 2:13 am


So what is the benefit of having 2 chains per radio then?? One chain is for the master WLAN and one for as many virtual radios??

So in the RB4011 there are also two radios,
So he will only have two master WLANs, one for 2gig and one for 5gigh

So what the hell good is 4 chains for the 5ghz radio and 2 chains for the 2ghz radio............. man I know shit and its very confusing and frustrating. Why cant this be rationally explained in plain english.

Not that confusing, if you let go of the idea that WLAN definitions are bound to specific chains. They are not.
There is one radio per band in this device, like most devices, so there is one physical WLAN per band. (Exception is the "Audience", which has 2 radios in 5 GHz.)

The radio is bound to a physical WLAN interface in RouterOS. One radio - one physical interface. If the radio has multiple chains, which each end on an antenna, then that radio can communicate over multiple spatial streams. E.g. a 2 chain radio can communicate with a 2 chain/antenna device with 2 spatial streams. This means doubling the transmission throughput. (MCS14 is double the interface rate of MCS07, it uses 2 spatial streams.) Using 2 spatial streams is very common with tablets, smartphones, PCs and MacBooks.

Within the physical WLAN configuration you set some parameters of the radio (channel width, TX power, channel or frequency, which chains are used). Those values are shared with all the virtual WLANs defined on this physical WLAN. They cannot be set in the virtual WLAN. However, things like mode (AP bridge, bridge, station bridge, ...), SSID, security, WDS, etc. can be different from the physical setting. The transmission and reception share the radio and its settings among the physical and virtual interfaces.

There is no way to split things like chains over different virtual WLANs. All virtual WLANs use the resources and settings of the master physical WLAN. The same goes for the frequency channels, only defined by the physical WLAN settings. There is no difference in performance or treatment between the physical and the virtual WLAN.

The advantage of the 4 chains in the 5 GHz band is that if you communicate with another device that has 4 chains, you have 4 times the interface bandwidth compared to a single spatial stream. Other benefits are the fact that the radio will combine the received signal to get the best connection. And as far as beamforming is available in 802.11ac, it will use beamforming with the antenna to transmit.

(Disadvantage of 4 chains is that the setting of the regulatory domain and the legal power limitations will reduce the transmit power by 6 dB for 4 antennas, or 3 dB for 2 antennas (10*log3 for 3 antennas). But RouterOS lets you disable specific chains if you want. This is a setting for the physical WLAN only, and is also used in the virtual WLANs of course.)
 
hahnhell
Member Candidate
Topic Author
Posts: 108
Joined: Sat Mar 07, 2020 11:49 pm
Location: NCR, Canada

Re: New Home Setup VLANs

Sun Mar 29, 2020 3:11 pm

@bpwl,

Thanks for the great explanation! I appreciate learning how this MIMO and chains thing all works.


So, I've fiddled with it and haven't got any further. I really am not good at this VLAN thing. I await those more knowledgeable than I!


Thanks.
 
anav
Forum Guru
Posts: 19323
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: New Home Setup VLANs

Sun Mar 29, 2020 4:46 pm

Took me a while to find anything askew LOL.......... Fix the ones in red!!
/ip address
add address=192.168.101.1/24 interface="AdminPC VLAN101" network=\
192.168.101.0
add address=192.168.5.0/24 interface="Printer & Home WiFi VLAN5" network=\
192.168.5.0
add address=192.168.10.0/24 interface="Server/Lab VLAN10" network=\
192.168.10.0
add address=192.168.15.0/24 interface="Home WiFi Devices VLAN15" network=\
192.168.15.0
add address=192.168.20.0/24 interface="Synology & HTPC VLAN20" network=\
192.168.20.0
add address=192.168.30.0/24 interface="Google VLAN30" network=192.168.30.0
add address=192.168.40.0/24 interface="Guest WiFi VLAN40" network=\
192.168.40.0
add address=192.168.50.0/24 interface="IoT VLAN50" network=192.168.50.0
 
hahnhell
Member Candidate
Topic Author
Posts: 108
Joined: Sat Mar 07, 2020 11:49 pm
Location: NCR, Canada

Re: New Home Setup VLANs

Sun Mar 29, 2020 6:17 pm

Took me a while to find anything askew LOL.......... Fix the ones in red!!
/ip address
add address=192.168.101.1/24 interface="AdminPC VLAN101" network=\
192.168.101.0
add address=192.168.5.0/24 interface="Printer & Home WiFi VLAN5" network=\
192.168.5.0
add address=192.168.10.0/24 interface="Server/Lab VLAN10" network=\
192.168.10.0
add address=192.168.15.0/24 interface="Home WiFi Devices VLAN15" network=\
192.168.15.0
add address=192.168.20.0/24 interface="Synology & HTPC VLAN20" network=\
192.168.20.0
add address=192.168.30.0/24 interface="Google VLAN30" network=192.168.30.0
add address=192.168.40.0/24 interface="Guest WiFi VLAN40" network=\
192.168.40.0
add address=192.168.50.0/24 interface="IoT VLAN50" network=192.168.50.0
Ok, so putting a 1 at the end of each of those addresses has made it possible for me to connect to things from admin, it seems. However, I believe that all VLANs have internet at this time. My IoT wifi still has internet.

Question I suppose I have is when I enable VLAN filtering on the bridge, do I use accept all, or do I use a different option?

Winbox is still only accessible via IP and not MAC.

I'm going to have to try and see how to test all the limitations I've put in. Lol.

Thanks!
 
bpwl
Forum Guru
Posts: 2993
Joined: Mon Apr 08, 2019 1:16 am

Re: New Home Setup VLANs

Sun Mar 29, 2020 7:36 pm

Winbox is still only accessible via IP and not MAC.

Winbox MAC access is only for interfaces in the LAN interface list. Either add VLAN interfaces to the LAN interface list, or change this rule

/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
 
anav
Forum Guru
Posts: 19323
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: New Home Setup VLANs  [SOLVED]

Sun Mar 29, 2020 8:04 pm

Did you add in the last rule yet in the forward chain?
add action=drop chain=forward comment="Drop all else"

When you do that all intervlan traffic at L3 unless allowed in your rules will be stopped as well as vlan50 access to the internet.
 
hahnhell
Member Candidate
Topic Author
Posts: 108
Joined: Sat Mar 07, 2020 11:49 pm
Location: NCR, Canada

Re: New Home Setup VLANs

Sun Mar 29, 2020 8:20 pm

Oh, Derp! I forgot that one...


Ok, that went and did it.

Thank you!!!! I have posted the final conf for anyone that wants to see.

FYI, the reason that my IoT devices are all offline is because the only item they need to speak to is the home automation server. Everything is controlled locally and thus even though I 'could' update the esp8266 OTA, I much rather not have them accessible. Just another hole plugged up in the network.

@anav, you are amazing, and as a fellow Canuck hats off to you!
 
anav
Forum Guru
Posts: 19323
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: New Home Setup VLANs

Sun Mar 29, 2020 8:58 pm

Oh, Derp! I forgot that one...


Ok, that went and did it.

Thank you!!!! I have posted the final conf for anyone that wants to see.

FYI, the reason that my IoT devices are all offline is because the only item they need to speak to is the home automation server. Everything is controlled locally and thus even though I 'could' update the esp8266 OTA, I much rather not have them accessible. Just another hole plugged up in the network.

@anav, you are amazing, and as a fellow Canuck hats off to you!
We are living in interesting times where helping each other virtually and staying away physically is the way
 
hahnhell
Member Candidate
Topic Author
Posts: 108
Joined: Sat Mar 07, 2020 11:49 pm
Location: NCR, Canada

Re: New Home Setup VLANs

Sun Mar 29, 2020 10:07 pm

So I'm still working on things.

I have my devices all connected and working on their respective VLANs. I can connect or not connect to the internet where I want.

I have my OpenHAB and MQTT running on port 8080 and 1883 respectively on the Server 20.20. I can connect to the MQTT from my adminPC but I cannot from the IoT devices VLAN50.
I cannot access my OpenHAB from AdminPC.

The VLAN IoT Access filter, is it working the way I seem to want it to? Devices on VLAN50 should be able to talk back and forth with Server on VLAN20. I think 1883 is probably the only port right now, but can someone show me how to make that rule work for one port and I can replicate it for others if the need arises?

Same seems to go for VLAN20 to VLAN101 when I'm trying to get to 8080, or 1880 (NodeRed).

Same config as previous post.
 
anav
Forum Guru
Posts: 19323
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: New Home Setup VLANs

Mon Mar 30, 2020 12:22 am

I do not know what you are referring to as MQTT etc.......
Remember if we allow traffic from A to B, then any requests from A to B, i.e. expecting replies, will be allowed back through.
What is stopped is any new traffic from B to A (that was not initiated on the A side) -- hope that makes sense.
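The one-port rule asked about a few posts up, built on the A-to-B principle this post describes: an added example, not config from the thread or from anav. It assumes the broker is the server at 192.168.10.10 (the address anav uses later in the thread) listening on tcp/1883, reuses the interface and list names from the poster's config, and makes up the MQTT-BROKER list name; the other forward rules from the config earlier in the thread stay where they are.

```routeros
# Added example (not from the thread). Assumptions: MQTT broker = the server at
# 192.168.10.10, tcp/1883; interface and list names as in the poster's config.
/ip firewall address-list
add address=192.168.10.10 list=MQTT-BROKER comment="home automation server"

/ip firewall filter
# Replies to any connection accepted below return through this rule. That is why
# only the side that opens the connection (A -> B) needs its own accept rule.
add action=accept chain=forward comment="accept established,related,untracked" \
    connection-state=established,related,untracked
add action=drop chain=forward comment="drop invalid" connection-state=invalid

# IoT -> broker: the IoT devices open the connection (they push their status),
# so the accept is written from VLAN50 towards the broker and limited to one
# TCP port. Copy this rule with another dst-port for each further service.
add action=accept chain=forward comment="IoT -> MQTT broker, tcp/1883 only" \
    connection-state=new in-interface="IoT VLAN50" \
    dst-address-list=MQTT-BROKER protocol=tcp dst-port=1883

# The server keeps its internet access through the Internet interface list;
# VLAN50 is not a member of that list, so the IoT devices get no way out.
add action=accept chain=forward comment="VLAN Internet Access" \
    in-interface-list=Internet out-interface-list=WAN

# Everything not accepted above is dropped here: new connections from the server
# towards VLAN50, VLAN50 -> WAN, and any other inter-VLAN traffic without a rule.
add action=drop chain=forward comment="Drop all else"

# Check while a device is publishing: its connection shows up as established,
# and nothing from VLAN50 to any other port or host appears in the table.
/ip firewall connection print where dst-address~"192.168.10.10:1883"
```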
 
hahnhell
Member Candidate
Topic Author
Posts: 108
Joined: Sat Mar 07, 2020 11:49 pm
Location: NCR, Canada

Re: New Home Setup VLANs

Mon Mar 30, 2020 2:56 am

So, I want the Server to be able to see the internet and the IoT devices to not. But I need the IoT devices and the Server to be able to exchange information between each other.
I can confirm that things are all still running on my server, as I can reach them from the AdminPC, but I can't seem to get the IoT devices to be able to login/report to the Server. The server should be able to talk back and forth with the IoT devices through MQTT (on port 1883). They need to login to the mqtt server and report periodically their statuses, and not always as a pull from the server but most of the time as a push. i.e. a temp sensor updating the new temperature in a room.

So how can I allow that specific traffic between IoT (VLAN50) devices and Server (VLAN10)? Is this going to compromise something else? Perhaps there is a different way we can set it up? Like putting the server in that vlan and only allowing it to connect to the internet but no other device there? Just shooting ideas...
Don't listen to me... i'm potentially an idiot in this case. I am getting a little tired and making my own mistakes. I think everything is working as it should..

Thanks again everyone for all your great responses.
 
anav
Forum Guru
Posts: 19323
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: New Home Setup VLANs

Mon Mar 30, 2020 3:39 pm

No worries, when not so tired, take a day off LOL, come back and we can hash out the smaller issues if any remain.
It all comes down to stating the use case requirements accurately and then we modify the config accordingly.
It is not uncommon after product delivery (software) that 80-90% of the errors are not bugs but errors in requirements.
 
hahnhell
Member Candidate
Topic Author
Posts: 108
Joined: Sat Mar 07, 2020 11:49 pm
Location: NCR, Canada

Re: New Home Setup VLANs

Wed Apr 29, 2020 6:23 pm

Good Morning!

I thought I would try and post a new question here as I just ran into a requirement for one of my devices.

The Server that is mentioned above, I would like to open it up to the internet on tcp port 4042. I've installed the Dynu script and it seems to be working..(https://www.dynu.com/DynamicDNS/IPUpdat ... ynamic-DNS)

I haven't been able to write the correct Firewall or NAT rules to have it show as open.

I have not changed any rules or such, other than at the dynu link, and I did not use the doubleNAT version. How do I get this to work?
 
anav
Forum Guru
Posts: 19323
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: New Home Setup VLANs

Wed Apr 29, 2020 7:26 pm

Hmm seems to be many scripts out there here is mine that I use with dyndns..........
:global ddnsuser "yourusername"
:global ddnspass "yourpassword"
:global theinterface "ISP_interface"
:global ddnshost "your.hostname.com"
:global ipddns [:resolve $ddnshost];
:global ipfresh [/ip address get [/ip address find interface=$theinterface] address]
:if ([:typeof $ipfresh] = nil) do={
    :log info ("DynDNS: No ip address on $theinterface .")
} else={
    # strip the /prefix length from "a.b.c.d/nn"
    :for i from=([:len $ipfresh] - 1) to=0 do={
        :if ([:pick $ipfresh $i] = "/") do={
            :set ipfresh [:pick $ipfresh 0 $i];
        }
    }

    :if ($ipddns != $ipfresh) do={
        :log info ("DynDNS: IP-DynDNS = $ipddns")
        :log info ("DynDNS: IP-Fresh = $ipfresh")
        :log info "DynDNS: Update IP needed, Sending UPDATE...!"
        :global str "/nic/update\?hostname=$ddnshost&myip=$ipfresh&wildcard=NOCHG&mx=NOCHG&backmx=NOCHG"
        /tool fetch address=members.dyndns.org src-path=$str mode=http user=$ddnsuser \
            password=$ddnspass dst-path=("/DynDNS.".$ddnshost)
        :delay 1
        :global str [/file find name="DynDNS.$ddnshost"];
        /file remove $str
        :global ipddns $ipfresh
        :log info "DynDNS: IP updated to $ipfresh!"
    } else={
        :log info "DynDNS: dont need changes";
    }
}
Looks identical...............

As far as the Server goes.......192.168.10.10
You already have 2/3 requirements met.

1. FIREWALL FORWARD RULE that will allow incoming traffic to your server after negotiating the DST NAT RULE.
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN

2. SOURCE NAT RULE that keeps track of outgoing (originating behind the router) and then returning packets
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN

3. DESTINATION NAT RULE, is required to tell the router where the packets should go when arriving at the wan interface.
/ip firewall nat
add action=dst-nat chain=dstnat comment="SERVER PORT FORWARDING" \
in-interface-list=WAN protocol=tcp dst-port=XX to-address=192.168.10.10

IF you were looking for port translation then it would be like....
add action=dst-nat chain=dstnat comment="SERVER PORT FORWARDING" \
in-interface-list=WAN protocol=tcp dst-port=YY to-address=192.168.10.10 to-ports=XX
 
hahnhell
Member Candidate
Topic Author
Posts: 108
Joined: Sat Mar 07, 2020 11:49 pm
Location: NCR, Canada

Re: New Home Setup VLANs

Wed Apr 29, 2020 8:29 pm

Thanks for the quick reply anav,

From your post, I already have 1 and 2 from previous configurations.

I added the third (firewall nat) rule. I am not trying to port translate. I am able to connect to the server on the desired port from my ADMIN computer. However, when I try to connect to it from outside my network I get nothing.

Trying with the dns from dynu, I can see the mikrotik mainpage if I try from my ADMIN computer, but nothing from outside the network.

Any thoughts?
 
anav
Forum Guru
Posts: 19323
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: New Home Setup VLANs

Wed Apr 29, 2020 8:40 pm

How are you trying to connect to it from the outside??
 
anav
Forum Guru
Posts: 19323
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: New Home Setup VLANs

Wed Apr 29, 2020 8:41 pm

By the way I just signed up for dynu, and used the MikroTik cloud ddns (as one can assign a CNAME in dynu) and thus you don't need a script on the router at all!!!
 
anav
Forum Guru
Posts: 19323
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: New Home Setup VLANs

Wed Apr 29, 2020 8:43 pm

Is your admin PC in the same SUBNET as the server?? I thought it was a different VLAN??
 
hahnhell
Member Candidate
Topic Author
Posts: 108
Joined: Sat Mar 07, 2020 11:49 pm
Location: NCR, Canada

Re: New Home Setup VLANs

Wed Apr 29, 2020 8:48 pm

My admin PC is on VLAN101, the server on VLAN10. Note that the ADMIN PC has access to everything on the network.


Oh, do tell about this MikroTik cloud ddns. Do I just enable the cloud function within MikroTik and then some config on the dynu side?

Edit:
Ok, I got the CName cloud ddns working.

I still can't get access to the server from the outside..
 
anav
Forum Guru
Posts: 19323
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: New Home Setup VLANs

Wed Apr 29, 2020 8:59 pm

can you post a complete config again or email it to me.
 
hahnhell
Member Candidate
Topic Author
Posts: 108
Joined: Sat Mar 07, 2020 11:49 pm
Location: NCR, Canada

Re: New Home Setup VLANs

Wed Apr 29, 2020 9:21 pm

can you post a complete config again or email it to me.
Emailed to you.
 
anav
Forum Guru
Posts: 19323
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: New Home Setup VLANs

Wed Apr 29, 2020 9:23 pm

I have never used this setting.........I would get rid of it.
/interface detect-internet
set detect-interface-list=WAN

Why do you have this enabled..............
/ip upnp
set enabled=yes

I would consider turning this off set to none,,,,, if the functionality is not required
/tool mac-server
set allowed-interface-list=LAN

Other than that I cannot see what could be preventing port forwarding from working??
I am not familiar with pppoe interfaces and maybe it doesn't like in-interface-list=WAN ??? in the dstnat rule - it's a stretch

try: in-interface=pppoe wan
 
hahnhell
Member Candidate
Topic Author
Posts: 108
Joined: Sat Mar 07, 2020 11:49 pm
Location: NCR, Canada

Re: New Home Setup VLANs

Wed Apr 29, 2020 10:06 pm

Well, I tried diff configs on that rule.. There is no pppoe-wan interface..

Admin
Internet
LAN
WAN
All
Dynamic
None

The detect internet is my fault. I forgot it on. It's set to none now..
 
anav
Forum Guru
Posts: 19323
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: New Home Setup VLANs

Wed Apr 29, 2020 10:09 pm

from your config???
/interface list member
add comment=defconf interface="Home Bridge" list=LAN
add interface="PPPoE WAN" list=WAN


Hmm maybe try putting as a member of the list=WAN
add interface="1 - Valerie WAN" list=WAN

Trying all the other interfaces won't work LOL.
but if the above is correct then in-interface-list=WAN should work.
 
hahnhell
Member Candidate
Topic Author
Posts: 108
Joined: Sat Mar 07, 2020 11:49 pm
Location: NCR, Canada

Re: New Home Setup VLANs

Wed Apr 29, 2020 11:03 pm

Added 1- Valerie to the WAN list. Seems a bit redundant as PPPoE WAN is using 1-Valerie to connect to the internet..

No dice.

so the PPPoE WAN is using port 1 which is connected to the ISP router. I don't have anything connected to the ISP router... There is the possibility that there is some double NAT'ing going on there?

Edit: I thought by using the PPPoE it would avoid double NAT. I'm a bit confused now...

Is this maybe what is causing the problems? How would I switch over from PPPoE to using an IP from the ISP router?
 
anav
Forum Guru
Posts: 19323
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: New Home Setup VLANs

Thu Apr 30, 2020 8:07 pm

Okay lets zero in on your ISP connection.
Is it DSL, Cable, Fiber etc.
Is it cellular??

How are you physically connecting the ISP to the Mikrotik??
 
hahnhell
Member Candidate
Topic Author
Posts: 108
Joined: Sat Mar 07, 2020 11:49 pm
Location: NCR, Canada

Re: New Home Setup VLANs

Thu Apr 30, 2020 8:15 pm

I am with Virgin Mobile, sub of Bell (Canadian ISPs).

I have a Valerie all-in-one that brings FTTH. On eth1 of Valerie, I have the Mikrotik connected to eth1. I am using PPPoE from the Mikrotik to enable the web access. I went the PPPoE route because I thought it would help remove the possibility of double NAT.

The rest is in the config I sent you.
 
anav
Forum Guru
Forum Guru
Posts: 19323
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: New Home Setup VLANs

Thu Apr 30, 2020 8:34 pm

hahnhell wrote:
I am with Virgin Mobile, a sub of Bell (Canadian ISPs).

I have a Valerie all-in-one that brings FTTH. On eth1 of Valerie, I have the Mikrotik connected on its eth1. I am using PPPoE from the Mikrotik to enable the web access. I went the PPPoE route because I thought it would help remove the possibility of double NAT.

The rest is in the config I sent you.

I guess what are the options on the FTTH?
Is it a modem or a modem/router?
Can you access the FTTH?
If so is there a bridge passthrough mode?

Does the FTTH provide pppoe output?
Can you give me an example of what IP address it gives you - just use fake numbers but so we get the idea of what it looks like?

This may be your unit, but it only shows a WiFi connection.......???
https://www.virginmobile.ca/en/support/ ... stall.html
 
hahnhell
Member Candidate
Member Candidate
Topic Author
Posts: 108
Joined: Sat Mar 07, 2020 11:49 pm
Location: NCR, Canada

Re: New Home Setup VLANs

Thu Apr 30, 2020 8:47 pm

Ref: https://www.virginmobile.ca/en/support/ ... uides.html

It is a modem/router, and the options inside are less than desirable. There is no bridge/passthrough mode.

Right now, the way I have it hooked up, when I log in to Valerie I don't see any other devices connected. I have WiFi disabled, and eth shows nothing connected. The PPPoE is logged on Valerie (it has an IP assigned to it) and the PPPoE on the Mikrotik is logged on (it has a separate IP).

That's about all I can do with it?
 
anav
Forum Guru
Forum Guru
Posts: 19323
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: New Home Setup VLANs

Thu Apr 30, 2020 8:48 pm

It looks like you are trying to use PPPoE on a built-in WiFi router/modem.
Suggest you call Virgin and let them know you want a unit that is configured only as a modem and not a WiFi router, and see what they say.

Yes, it would appear you are screwed into a double NAT scenario unless the IP you pull (I am assuming that you can connect to it via Ethernet) is wide open.
To check, attach Ethernet to the WAN port but just assume it's a straight Ethernet connection (aka cable) and NOT a PPPoE connection.


Call them and state you want to use your own router and see what they do. They may be able to do something over the lines, or you may need a new device from them??
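A quick way to settle the double NAT question from the router itself, as an added example that is not part of the thread: the script below reads the address the MikroTik holds on its WAN interface and reports whether it falls in an RFC 1918 or CGNAT (100.64.0.0/10) range, which means the ISP box is still translating in front of it. The interface name "PPPoE WAN" is assumed from the poster's config; change it to the Ethernet interface when testing the plain DHCP connection instead.

```routeros
# Added example (not the thread's own config). Run from the terminal or
# paste into System > Scripts. Assumes the WAN interface is named "PPPoE WAN".
:local wanIf "PPPoE WAN"
:local found [/ip address find where interface=$wanIf]

:if ([:len $found] = 0) do={
    :log warning "no IP address on $wanIf - is the WAN connection up?"
} else={
    # take the first matching entry; the address is stored as "a.b.c.d/len"
    :local cidr [/ip address get [:pick $found 0] address]
    :local wanIp [:toip [:pick $cidr 0 [:find $cidr "/"]]]
    :local behindNat false

    # RFC 1918 private ranges and the CGNAT range (RFC 6598)
    :if ($wanIp in 10.0.0.0/8) do={ :set behindNat true }
    :if ($wanIp in 172.16.0.0/12) do={ :set behindNat true }
    :if ($wanIp in 192.168.0.0/16) do={ :set behindNat true }
    :if ($wanIp in 100.64.0.0/10) do={ :set behindNat true }

    :if ($behindNat) do={
        :log warning "$wanIf has $wanIp: private/CGNAT range, the ISP device is NATing upstream (double NAT)"
    } else={
        :log info "$wanIf has $wanIp: public address, no upstream NAT in front of this router"
    }
}
```

Read the result with /log print. A public address on the WAN side does not by itself prove that inbound port forwards will work (the ISP may still filter), but a private or CGNAT address proves they cannot without configuration on the ISP device.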
 
hahnhell
Member Candidate
Member Candidate
Topic Author
Posts: 108
Joined: Sat Mar 07, 2020 11:49 pm
Location: NCR, Canada

Re: New Home Setup VLANs

Mon Jun 22, 2020 11:57 pm

Wow, it is taking me so long to get back to this!

I haven't called the ISP yet. I wanted to first try the other option you just mentioned, being without the PPPoE connection. I'm not exactly sure how to configure the switch to remove the PPPoE and let it get internet straight from the ISP modem. The only place I can see to configure that is from the QuickSet page, but that looks like it is going to change a lot more than just my PPPoE settings.

Thanks for your help.
 
anav
Forum Guru
Forum Guru
Posts: 19323
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: New Home Setup VLANs

Tue Jun 23, 2020 12:35 am

First thing I need is the latest config. So that I am working with the latest actual setup.
 
hahnhell
Member Candidate
Member Candidate
Topic Author
Posts: 108
Joined: Sat Mar 07, 2020 11:49 pm
Location: NCR, Canada

Re: New Home Setup VLANs

Tue Jun 23, 2020 12:46 am

emailed to you! :)
 
anav
Forum Guru
Forum Guru
Posts: 19323
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: New Home Setup VLANs

Tue Jun 23, 2020 4:10 am

Taking a look at the config,
I would do a couple of things differently,
for example on interface-list members:
Remove the bridge - LAN
and replace with all the VLANs - LAN.
Also add ethernet-1 to WAN (to go along with the PPPoE one).
Then see if your results change.


Next........
I've established I can ping your server and, I believe, attempt to connect via SSH, but obviously I don't have the right parameters.
So it looks like the connectivity may be there. Is it possible there are some settings on the SSH server that are blocking?

only other thing I can think of is modify the destination nat rule from this
add action=dst-nat chain=dstnat comment="SERVER PORT FORWARDING" dst-port=\
2202 in-interface-list=WAN protocol=tcp to-addresses=192.168.10.10 \
to-ports=22

TO
add action=dst-nat chain=dstnat comment="SERVER PORT FORWARDING" dst-port=\
2202 dst-address-list=mydnscloudIP protocol=tcp to-addresses=192.168.10.10 \
to-ports=22

where in the firewall address list you make
/ip firewall address-list add address=<your cloud DDNS name> list=mydnscloudIP
(the router will resolve the name to an IP)

Finally, if nothing above works,
try disabling (not deleting) this rule and try again; just wondering if it's interfering somehow??
add action=accept chain=forward comment="Server Access" dst-address-list=LAB \
in-interface="Server/Lab VLAN10" src-address=192.168.10.10
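The three pieces of the advice above (VLANs rather than the bridge in the LAN list, the Ethernet port alongside the PPPoE interface in WAN, and a dst-nat rule keyed to the router's own public address via a DDNS name) put together as one added example. This is not the thread's own config; the interface names "PPPoE WAN", "1 - Valerie WAN" and "Server/Lab VLAN10", the server address 192.168.10.10 and the list name mydnscloudIP are taken from the thread, while ddns.example.invalid is a placeholder for the real DDNS hostname. It also adds the forward-chain rules that make the forwarded SSH flow the only new connection a WAN host can open into the LAN, which the thread does not spell out.

```routeros
# Added example (not the thread's own config). Lists WAN and LAN already
# exist in the default configuration, so only their members are set here.
/interface list member
add interface="PPPoE WAN" list=WAN
add interface="1 - Valerie WAN" list=WAN
# every VLAN interface goes into LAN in place of the bridge (one shown)
add interface="Server/Lab VLAN10" list=LAN

# RouterOS resolves a hostname in an address list and refreshes it, so the
# NAT rule below keeps tracking the public IP when the PPPoE address changes.
# ddns.example.invalid is a placeholder for the real DDNS name.
/ip firewall address-list
add address=ddns.example.invalid list=mydnscloudIP comment="router public IP via DDNS"

/ip firewall nat
# forward tcp/2202 only when the packet was sent to our own public address;
# log=yes lets you see hits in /log while testing
add chain=dstnat action=dst-nat protocol=tcp dst-port=2202 \
    dst-address-list=mydnscloudIP to-addresses=192.168.10.10 to-ports=22 \
    log=yes log-prefix="ssh-fwd" comment="SERVER PORT FORWARDING"
add chain=srcnat action=masquerade out-interface-list=WAN

/ip firewall filter
add chain=forward action=accept connection-state=established,related,untracked
add chain=forward action=drop connection-state=invalid
# the single flow the port forward creates: WAN -> 192.168.10.10:22 after dst-nat
add chain=forward action=accept connection-state=new connection-nat-state=dstnat \
    in-interface-list=WAN protocol=tcp dst-address=192.168.10.10 dst-port=22 \
    comment="forwarded SSH to the lab server"
# anything else new arriving from WAN, dst-natted or not, is dropped
add chain=forward action=drop connection-state=new in-interface-list=WAN \
    comment="drop all other new connections from WAN"

# checks: the list should show a dynamic entry with the resolved IP, the
# NAT counters should move when a client connects, and the log should
# carry "ssh-fwd" lines
/ip firewall address-list print where list=mydnscloudIP
/ip firewall nat print stats where comment="SERVER PORT FORWARDING"
/log print where message~"ssh-fwd"
```

Filter rules are appended in the order given, so on a router that already has a broad accept in the forward chain the two WAN rules must be moved above it (/ip firewall filter move) or they never match. If the address-list entry shows no dynamic resolved IP, the router's own DNS is not working and the NAT rule will not match anything; that is the first thing to verify when the counters stay at zero.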
 
hahnhell
Member Candidate
Member Candidate
Topic Author
Posts: 108
Joined: Sat Mar 07, 2020 11:49 pm
Location: NCR, Canada

Re: New Home Setup VLANs

Tue Jun 23, 2020 4:01 pm

Ok, just to make sure I understand what you are saying here.
  • Remove the bridge - LAN --- I will remove/disable: add comment=defconf interface="Home Bridge" list=LAN
  • Replace with all the vlans - LAN --- I will change all items from list=Interneet to list=LAN
  • Add the ethernet-1 to WAN --- "1 - Valerie WAN" to list=WAN
Before I go any further I want to make sure I understand the instructions! I can do these changes and then can work on the rules/filters later.

Thanks.
 
anav
Forum Guru
Forum Guru
Posts: 19323
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: New Home Setup VLANs

Tue Jun 23, 2020 5:01 pm

hahnhell wrote:
Ok, just to make sure I understand what you are saying here.
  • Remove the bridge - LAN --- I will remove/disable: add comment=defconf interface="Home Bridge" list=LAN
  • Replace with all the vlans - LAN --- I will change all items from list=Interneet to list=LAN
  • Add the ethernet-1 to WAN --- "1 - Valerie WAN" to list=WAN
Before I go any further I want to make sure I understand the instructions! I can do these changes and then can work on the rules/filters later.

Thanks.

Yup, that is correct, but no need to replace the internet ones; just make another list for LAN. You may wish at some time or another to block access to the internet, and that way you just remove that entry etc.............. which doesn't frig up any rules just for LAN.
